Diffstat (limited to 'x11vnc/README')
-rw-r--r-- x11vnc/README 49
1 files changed, 34 insertions, 15 deletions
diff --git a/x11vnc/README b/x11vnc/README
index 3fa8ac4..61b40f0 100644
--- a/x11vnc/README
+++ b/x11vnc/README
@@ -1,5 +1,5 @@
-x11vnc README file Date: Thu May 3 23:21:57 EDT 2007
+x11vnc README file Date: Sat May 5 10:47:52 EDT 2007
The following information is taken from these URLs:
@@ -10747,7 +10747,7 @@ x11vnc: a VNC server for real X displays
Here are all of x11vnc command line options:
% x11vnc -opts (see below for -help long descriptions)
-x11vnc: allow VNC connections to real X11 displays. 0.9.1 lastmod: 2007-05-03
+x11vnc: allow VNC connections to real X11 displays. 0.9.1 lastmod: 2007-05-05
x11vnc options:
-display disp -auth file -N
@@ -10861,7 +10861,7 @@ libvncserver-tight-extension options:
% x11vnc -help
-x11vnc: allow VNC connections to real X11 displays. 0.9.1 lastmod: 2007-05-03
+x11vnc: allow VNC connections to real X11 displays. 0.9.1 lastmod: 2007-05-05
(type "x11vnc -opts" to just list the options.)
@@ -12443,9 +12443,10 @@ Options:
Since this option switches userid it also affects the
userid used to run the processes for the -accept and
-gone options. It also affects the ability to read
- files for options such as -connect, -allow, and -remap.
- Note that the -connect file is also sometimes written
- to.
+ files for options such as -connect, -allow, and -remap
+ and also the ultra and tight filetransfer feature if
+ enabled. Note that the -connect file is also sometimes
+ written to.
So be careful with this option since in some situations
its use can decrease security.
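Review bot: the added clause "and also the ultra and tight filetransfer feature if enabled" is attached to "the ability to read files", but a file transfer feature also writes files on the server side, so the sentence understates what the switched userid governs. Suggest wording along the lines of "the ability to read files for options such as -connect, -allow, and -remap, and to read and write files via the ultra and tight filetransfer feature if enabled", so that the "can decrease security" warning that follows clearly covers transfers as well.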
@@ -12454,9 +12455,10 @@ Options:
if the display can still be successfully opened as that
user (this is primarily to try to guess the actual owner
of the session). Example: "-users fred,wilma,betty".
- Note that a malicious user "barney" by quickly using
- "xhost +" when logging in may possibly get the x11vnc
- process to switch to user "fred". What happens next?
+ Note that a malicious local user "barney" by
+ quickly using "xhost +" when logging in may possibly
+ get the x11vnc process to switch to user "fred".
+ What happens next?
Under display managers it may be a long time before
the switch succeeds (i.e. a user logs in). To instead
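Review bot: the reworded note still ends on the rhetorical "What happens next?" and never states the consequence of the x11vnc process switching to "fred" while "barney" owns the display. Adding "local" narrows the threat correctly, but an administrator deciding whether to list several users in -users needs the outcome spelled out; suggest replacing the question with one sentence saying what the switched process can then do on barney's behalf (for example through the file-reading options and filetransfer mentioned in the previous paragraph of this option's text).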
@@ -12468,29 +12470,46 @@ Options:
"nobody") is probably the only use of this option
that increases security.
+ Use the following notation to associate a group with
+ a user: user1.group1,user2.group2,... Note that
+ initgroups(2) will still be called first to try to
+ switch to ALL of a user's groups (primary and additional
+ groups). Only if that fails or it is not available
+ then the single group specified as above (or the user's
+ primary group if not specified) is switched to with
+ setgid(2). Use -env X11VNC_SINGLE_GROUP=1 to prevent
+ trying initgroups(2) and only switch to the single
+ group. This sort of setting is only really needed to
+ make the ultra or tight filetransfer permissions work
+ properly. This format applies to any comma separated lis
+t
+ of users, even the special "=" modes described below.
+
In -unixpw mode, if "-users unixpw=" is supplied
then after a user authenticates himself via the
-unixpw mechanism, x11vnc will try to switch to that
user as though "-users +username" had been supplied.
If you want to limit which users this will be done for,
provide them as a comma separated list after "unixpw="
+ Groups can also be specified as described above.
Similarly, in -ssl mode, if "-users sslpeer=" is
supplied then after an SSL client authenticates with his
cert (the -sslverify option is required for this) x11vnc
will extract a UNIX username from the "emailAddress"
- field (username@hostname.com) of the "Subject" in the
+ field (username@hostname.com) of the "Subject" of the
x509 SSL cert and then try to switch to that user as
though "-users +username" had been supplied. If you
want to limit which users this will be done for, provide
them as a comma separated list after "sslpeer=".
Set the env. var X11VNC_SSLPEER_CN to use the Common
Name (normally a hostname) instead of the Email field.
- NOTE: the x11vnc administrator must take great care
- that any client certs he adds to -sslverify have the
- correct UNIX username in the "emailAddress" field
- of the cert. Otherwise a user may be able to log in
- as another. The following command can be of use in
+
+ NOTE: for sslpeer= mode the x11vnc administrator must
+ take care that any client certs he adds to -sslverify
+ have the intended UNIX username in the "emailAddress"
+ field of the cert. Otherwise a user may be able to
+ log in as another. This command can be of use in
checking: "openssl x509 -text -in file.crt", see the
"Subject:" line. Also, along with the normal RFB_*
env. vars. (see -accept) passed to external cmd=
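Review bot: in the new user1.group1 paragraph, the sentence "Only if that fails or it is not available then the single group specified as above ... is switched to with setgid(2)" does not say which primary group the process ends up with when initgroups(2) succeeds, so a reader who writes fred.staff cannot tell whether "staff" is applied or silently ignored unless X11VNC_SINGLE_GROUP=1 is set. Suggest stating the resulting gid for both the success and the fallback path. Two smaller points in the same hunk: the line ending "comma separated lis" followed by a line holding only "t" looks like an over-long line that needs rewrapping, and the sslpeer= NOTE softens "great care" to "care" and "correct" to "intended" while the text still does not say whether the hostname part of username@hostname.com is checked; given the stated risk that "a user may be able to log in as another", the stronger wording seems worth keeping and the handling of the hostname part worth documenting.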